ICO fines ACS:Law's Crossley for data leak

Information Commissioner said the £1,000 fine would have been £200,000 if the data controller had not been of 'limited means'

The Information Commissioner's Office (ICO) has fined the owner of former solicitors firm ACS:Law £1,000 for failing to keep sensitive personal information relating to about 6,000 people secure.

The owner and former data controller, Andrew Jonathan Crossley, escaped a larger fine because he was deemed to be of limited means. However, Information Commissioner Richard Graham said the fine would have been £200,000 given the severity of the breach. ACS:Law ceased trading in February.

The move follows last month's criticism of the ICO for the limited number of fines it has levied since last April, when it was granted the power. It has fined just four of the 603 organisations accused of a data breach in that time.

Graham said: "This case proves that a company's failure to keep information secure can have disastrous consequences. Sensitive personal details relating to thousands of people were made available for download to a worldwide audience and will have caused them embarrassment and considerable distress.

"The security measures ACS:Law had in place were barely fit for purpose in a person's home environment, let alone a business handling such sensitive details," he added.

Crossley and ACS:Law specialised in pursuing alleged copyright infringement cases on behalf of copyright holders from the music, video games and adult film industries. The firm had written to thousands of individuals who were alleged to have broken copyright law. They were pursued using information obtained from individuals' internet service providers (ISPs).

In September 2010, ACS:Law's web site was subjected to an online attack that caused it to crash. After the attack, a file containing emails between ACS:Law staff, and some to and from ISPs or members of the public, appeared on a web site, giving anyone who downloaded the file access to the sensitive personal information of around 6,000 people. This included individuals' ISP account details, their names and addresses, their IP addresses and information about the content they were alleged to have illegally copied.

Some of the emails also included people's credit card details, as well as references to their sex life, health and financial status.